Integrating other systems with Venafi products

Every API integration needs to register with Venafi. Registering your integration allows the client to get an OAuth access token and refresh token with permissions to the REST API endpoints your integration needs. API calls automate your work. By default, all Venafi products, utilities, and other open-source projects are pre-registered. You only need to register integrations from the Venafi Marketplace or your own custom-built integrations.

How does it work? 

The API Integration wizard registers details about API calls that the client will make. After registration, the client requests a REST authorization using that same information. The VEDAuth service responds with an access token to allow the client to make API calls. The token is valid until it expires or is revoked. This eliminates the need to continuously get new API keys.

If configured for your integration, you also get a refresh token. When an access token expires, the refresh token allows you to get a new access token from the same grant, without re-authenticating to the VEDAuth service. Each refresh token can be used only once; until it is used, it remains valid until your grant expires.

First things first

  • Familiarize yourself with OAuth terms and the flow process. For more information, see About API integrations.

  • From the developer, get a list of scopes and restrictions based on the integration’s needs. Need help? Use this basic chart.

What scope and restrictions are available? 

| Scope | Developer Example | Privileges and Restrictions | [Other] |
|---|---|---|---|
| admin | scope: admin:recyclebin,delete | Delete | recyclebin |
| agent | scope: agent:delete | Delete | |
| certificate | scope: certificate:approve,delete,discover,manage,revoke | Approve, Delete, Discover, Manage, Revoke | |
| codesign | scope: codesign:approve,delete,manage | Approve, Delete, Manage | |
| codesignclient | scope: codesignclient | | This is a read-only privilege. |
| configuration | scope: configuration:delete,manage | Delete, Manage | |
| restricted | scope:restricted:delete,manage | Delete, Manage | |
| security | scope: security:delete,manage | Delete, Manage | |
| ssh | scope: ssh:approve,delete,discover,manage | Approve, Delete, Discover, Manage | |
| statistics (requires Vendor integration) | scope:statistics | | This is a read-only privilege. |
| (Read access) Specify a scope. | scope:certificate | | |
| (Many scopes) Use a semi-colon (;) between each scope. | scope:ssh;certificate:discover,manage;configuration:manage | | |
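The scope syntax in the chart above can be checked before an integration is registered. The following is an added example, not Venafi code: it parses a scope string and reports anything requested beyond what the integration needs. The function names, the case-sensitive matching, and the tolerance for a leading "scope:" label are assumptions.

```python
# Scope -> restrictions, transcribed from the developer examples in the chart.
ALLOWED = {
    "admin": {"delete", "recyclebin"},
    "agent": {"delete"},
    "certificate": {"approve", "delete", "discover", "manage", "revoke"},
    "codesign": {"approve", "delete", "manage"},
    "codesignclient": set(),   # read-only privilege
    "configuration": {"delete", "manage"},
    "restricted": {"delete", "manage"},
    "security": {"delete", "manage"},
    "ssh": {"approve", "delete", "discover", "manage"},
    "statistics": set(),       # read-only privilege
}


def parse_scope(scope_string):
    """Parse 'ssh;certificate:discover,manage' into {scope: {restrictions}}."""
    text = scope_string.strip()
    if text.startswith("scope:"):          # tolerate the chart's "scope:" label
        text = text[len("scope:"):]
    grants = {}
    for part in text.split(";"):           # semicolon separates scopes
        name, _, rest = part.strip().partition(":")
        name = name.strip()
        if not name:
            continue                       # stray or trailing semicolon
        if name not in ALLOWED:
            raise ValueError(f"unknown scope {name!r}")
        wanted = {r.strip() for r in rest.split(",") if r.strip()}
        bad = wanted - ALLOWED[name]
        if bad:
            raise ValueError(f"{name}: unsupported restriction(s) {sorted(bad)}")
        grants.setdefault(name, set()).update(wanted)
    return grants


def excess_privileges(requested, needed):
    """Return what `requested` grants beyond `needed` (both scope strings).
    An empty set as a value means the whole scope (read access) is unneeded."""
    req, need = parse_scope(requested), parse_scope(needed)
    excess = {}
    for name, restrictions in req.items():
        if name not in need:
            excess[name] = set(restrictions)
        elif restrictions - need[name]:
            excess[name] = restrictions - need[name]
    return excess
```

Run `excess_privileges` with the scope string a developer proposes and the scope string the integration's documented API calls require; a non-empty result is the list of privileges to trim before approving the registration.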

 

 

 

 

 

 

To register (create) a new integration

  1. If you haven't already done so, set the expiration and refresh time for tokens. See Setting up token authentication.
  2. From the Platform menu bar, click API > Integrations.
  3. Do one of the following:

What's next?